Warning: Permanently added '10.128.1.36' (ECDSA) to the list of known hosts.
executing program
[ 38.841599][ T93] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 39.121731][ T93] usb 1-1: too many configurations: 150, using maximum allowed: 8
[ 39.921320][ T93] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.930484][ T93] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.938526][ T93] usb 1-1: Product: syz
[ 39.942758][ T93] usb 1-1: Manufacturer: syz
[ 39.947356][ T93] usb 1-1: SerialNumber: syz
[ 39.992501][ T93] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 40.611111][ T93] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 41.013237][ T21] usb 1-1: USB disconnect, device number 2
[ 41.860706][ T93] usb 1-1: Service connection timeout for: 256
[ 41.867134][ T93] ==================================================================
[ 41.875259][ T93] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 41.881925][ T93] Read of size 4 at addr ffff8881cd33de94 by task kworker/1:2/93
[ 41.889712][ T93]
[ 41.892043][ T93] CPU: 1 PID: 93 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 41.900187][ T93] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.910261][ T93] Workqueue: events request_firmware_work_func
[ 41.916478][ T93] Call Trace:
[ 41.919853][ T93]  dump_stack+0xef/0x16e
[ 41.924073][ T93]  print_address_description.constprop.0.cold+0xd3/0x415
[ 41.931085][ T93]  ? vprintk_func+0x7d/0x113
[ 41.935653][ T93]  ? kfree_skb+0x32/0x3d0
[ 41.939986][ T93]  __kasan_report.cold+0x37/0x7d
[ 41.944931][ T93]  ? kfree_skb+0x32/0x3d0
[ 41.949271][ T93]  ? kfree_skb+0x32/0x3d0
[ 41.953588][ T93]  kasan_report+0x33/0x50
[ 41.957916][ T93]  check_memory_region+0x173/0x1d0
[ 41.963007][ T93]  kfree_skb+0x32/0x3d0
[ 41.967317][ T93]  htc_connect_service.cold+0xa9/0x109
[ 41.972796][ T93]  ath9k_wmi_connect+0xd2/0x1a0
[ 41.977631][ T93]  ? ath9k_fatal_work+0x20/0x20
[ 41.982492][ T93]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 41.988543][ T93]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 41.994165][ T93]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 42.000562][ T93]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 42.005824][ T93]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 42.011370][ T93]  ? __raw_spin_lock_init+0x34/0x100
[ 42.016651][ T93]  ? tasklet_init+0x69/0x110
[ 42.021224][ T93]  ath9k_htc_probe_device+0x25a/0x1da0
[ 42.026677][ T93]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 42.033328][ T93]  ? usb_submit_urb+0x6ed/0x1460
[ 42.038255][ T93]  ? usb_free_urb.part.0+0x52/0x110
[ 42.043983][ T93]  ? usb_free_urb+0x1b/0x30
[ 42.048500][ T93]  ath9k_htc_hw_init+0x31/0x60
[ 42.053289][ T93]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 42.059969][ T93]  ? ath9k_hif_usb_resume+0x320/0x320
[ 42.065323][ T93]  request_firmware_work_func+0x126/0x242
[ 42.071024][ T93]  ? request_firmware_into_buf+0x90/0x90
[ 42.076635][ T93]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 42.082170][ T93]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 42.087456][ T93]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 42.092631][ T93]  process_one_work+0x965/0x1630
[ 42.097552][ T93]  ? lock_release+0x720/0x720
[ 42.102206][ T93]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 42.107585][ T93]  ? rwlock_bug.part.0+0x90/0x90
[ 42.112542][ T93]  worker_thread+0x96/0xe20
[ 42.117032][ T93]  ? process_one_work+0x1630/0x1630
[ 42.122256][ T93]  kthread+0x326/0x430
[ 42.126306][ T93]  ? kthread_create_on_node+0xf0/0xf0
[ 42.131662][ T93]  ret_from_fork+0x24/0x30
[ 42.136053][ T93]
[ 42.138449][ T93] Allocated by task 93:
[ 42.142596][ T93]  save_stack+0x1b/0x40
[ 42.146729][ T93]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 42.152346][ T93]  kmem_cache_alloc_node+0xdc/0x330
[ 42.157530][ T93]  __alloc_skb+0xba/0x5a0
[ 42.161855][ T93]  htc_connect_service+0x2cc/0x840
[ 42.166958][ T93]  ath9k_wmi_connect+0xd2/0x1a0
[ 42.171802][ T93]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 42.178197][ T93]  ath9k_htc_probe_device+0x25a/0x1da0
[ 42.183636][ T93]  ath9k_htc_hw_init+0x31/0x60
[ 42.188379][ T93]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 42.193991][ T93]  request_firmware_work_func+0x126/0x242
[ 42.199754][ T93]  process_one_work+0x965/0x1630
[ 42.204709][ T93]  worker_thread+0x96/0xe20
[ 42.209194][ T93]  kthread+0x326/0x430
[ 42.213252][ T93]  ret_from_fork+0x24/0x30
[ 42.217669][ T93]
[ 42.219988][ T93] Freed by task 0:
[ 42.223701][ T93]  save_stack+0x1b/0x40
[ 42.228000][ T93]  __kasan_slab_free+0x117/0x160
[ 42.232925][ T93]  kmem_cache_free+0x9b/0x360
[ 42.237595][ T93]  kfree_skbmem+0xef/0x1b0
[ 42.241994][ T93]  kfree_skb+0x102/0x3d0
[ 42.246241][ T93]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 42.251869][ T93]  hif_usb_regout_cb+0x115/0x1c0
[ 42.256801][ T93]  __usb_hcd_giveback_urb+0x29a/0x550
[ 42.262153][ T93]  usb_hcd_giveback_urb+0x368/0x420
[ 42.267330][ T93]  dummy_timer+0x125e/0x32b4
[ 42.271936][ T93]  call_timer_fn+0x1ac/0x700
[ 42.276504][ T93]  run_timer_softirq+0x5f9/0x1500
[ 42.281528][ T93]  __do_softirq+0x21e/0x9aa
[ 42.286177][ T93]
[ 42.288593][ T93] The buggy address belongs to the object at ffff8881cd33ddc0
[ 42.288593][ T93]  which belongs to the cache skbuff_head_cache of size 224
[ 42.303163][ T93] The buggy address is located 212 bytes inside of
[ 42.303163][ T93]  224-byte region [ffff8881cd33ddc0, ffff8881cd33dea0)
[ 42.316493][ T93] The buggy address belongs to the page:
[ 42.322123][ T93] page:ffffea000734cf40 refcount:1 mapcount:0 mapping:0000000070997840 index:0x0
[ 42.331207][ T93] flags: 0x200000000000200(slab)
[ 42.336140][ T93] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 42.344707][ T93] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 42.353281][ T93] page dumped because: kasan: bad access detected
[ 42.359681][ T93]
[ 42.362422][ T93] Memory state around the buggy address:
[ 42.368032][ T93]  ffff8881cd33dd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.376073][ T93]  ffff8881cd33de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.384131][ T93] >ffff8881cd33de80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.392182][ T93]                          ^
[ 42.397719][ T93]  ffff8881cd33df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.405760][ T93]  ffff8881cd33df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.413975][ T93] ==================================================================
[ 42.422022][ T93] Disabling lock debugging due to kernel taint
[ 42.428372][ T93] Kernel panic - not syncing: panic_on_warn set ...
[ 42.434967][ T93] CPU: 1 PID: 93 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 42.444496][ T93] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.455174][ T93] Workqueue: events request_firmware_work_func
[ 42.461341][ T93] Call Trace:
[ 42.464616][ T93]  dump_stack+0xef/0x16e
[ 42.468850][ T93]  panic+0x2aa/0x6e1
[ 42.472723][ T93]  ? add_taint.cold+0x16/0x16
[ 42.477416][ T93]  ? retint_kernel+0x10/0x10
[ 42.481991][ T93]  ? kfree_skb+0x32/0x3d0
[ 42.486319][ T93]  ? trace_hardirqs_on+0x55/0x200
[ 42.491321][ T93]  ? kfree_skb+0x32/0x3d0
[ 42.495631][ T93]  end_report+0x4d/0x53
[ 42.499764][ T93]  __kasan_report.cold+0x72/0x7d
[ 42.504691][ T93]  ? kfree_skb+0x32/0x3d0
[ 42.509614][ T93]  ? kfree_skb+0x32/0x3d0
[ 42.513933][ T93]  kasan_report+0x33/0x50
[ 42.518249][ T93]  check_memory_region+0x173/0x1d0
[ 42.523356][ T93]  kfree_skb+0x32/0x3d0
[ 42.527496][ T93]  htc_connect_service.cold+0xa9/0x109
[ 42.532935][ T93]  ath9k_wmi_connect+0xd2/0x1a0
[ 42.537767][ T93]  ? ath9k_fatal_work+0x20/0x20
[ 42.542622][ T93]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 42.548673][ T93]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 42.554284][ T93]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 42.560701][ T93]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 42.566103][ T93]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 42.571652][ T93]  ? __raw_spin_lock_init+0x34/0x100
[ 42.576924][ T93]  ? tasklet_init+0x69/0x110
[ 42.581496][ T93]  ath9k_htc_probe_device+0x25a/0x1da0
[ 42.586968][ T93]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 42.593626][ T93]  ? usb_submit_urb+0x6ed/0x1460
[ 42.598558][ T93]  ? usb_free_urb.part.0+0x52/0x110
[ 42.603734][ T93]  ? usb_free_urb+0x1b/0x30
[ 42.608338][ T93]  ath9k_htc_hw_init+0x31/0x60
[ 42.613092][ T93]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 42.618712][ T93]  ? ath9k_hif_usb_resume+0x320/0x320
[ 42.624087][ T93]  request_firmware_work_func+0x126/0x242
[ 42.629808][ T93]  ? request_firmware_into_buf+0x90/0x90
[ 42.635448][ T93]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 42.641076][ T93]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 42.646495][ T93]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 42.651673][ T93]  process_one_work+0x965/0x1630
[ 42.656648][ T93]  ? lock_release+0x720/0x720
[ 42.661312][ T93]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 42.666675][ T93]  ? rwlock_bug.part.0+0x90/0x90
[ 42.671592][ T93]  worker_thread+0x96/0xe20
[ 42.676074][ T93]  ? process_one_work+0x1630/0x1630
[ 42.681260][ T93]  kthread+0x326/0x430
[ 42.685320][ T93]  ? kthread_create_on_node+0xf0/0xf0
[ 42.690686][ T93]  ret_from_fork+0x24/0x30
[ 42.695123][ T93] Kernel Offset: disabled
[ 42.699442][ T93] Rebooting in 86400 seconds..